1. Securing Custom Web Applications
What sort of login URL do you typically use? Here are some common ones: domain.com/manager, domain.com/admin, domain.com/cms, domain.com/login, domain.com/signin, domain.com/cm. There are a lot more common URLs but you should always come up with something different, at least less conventional. If you are trying to find someones login screen for their web site, you can easily try typing one of the previously mentioned URLs into your web browser and see what comes up. You may find that the web site has set up their login at one of those URLs. Sure it may be password protected, but now a hacker has access to your login screen and can begin trying to hack into the system. If it is a custom web application have you prepared for SQL Injection Attacks, XSS, and other common hacker techniques? Make sure you test for it, but regardless it makes me nervous knowing that hackers may be trying to hack into my web application.
2. Securing Open Source Installations
Further to my previous point, what if you have installed a common open source application like WordPress, MovableType, phpMyAdmin, Drupal, MediaWiki or some other popular application. These applications are commonly installed at default locations like wp, admin, phpMyAdmin, or other folders which gives hackers a good guess at where your login screen is. Because these applications are open source hackers can easily find old security flaws in the code and then exploit them if you haven’t yet upgraded your system. So next time you install one of these applications, install them to a unique directory that will be different than the default location. You’ll fend of most hacking attempts right away.
3. Prevent SQL Injection Attacks
As I mentioned above, SQL Injection attacks can grant a hacker direct access to your entire web application. Rather than me taking the time to explain fully how SQL Injection attacks work, it would be best to do some searching online and read about it to protect yourself from the common attacks. In a nutshell, make sure you are escaping variable data before you run SQL scripts to return login information for your system.
4. Linking To Open Source Software
It’s great to link to those open source applications to give them credit. They deserve it, but do you know how easy it is to find a list of blogs that use WordPress? Just use a search engine to find web sites that link to WordPress.org and you’ll find thousands of blogs that link back to WordPress because they use the popular blogging software. Now a hacker has a list of potential wordpress blogs to exploit. So as another precaution, try not to link back to the software you’re using. It is great to give credit where it’s due, but you don’t want to mark your site as a potential hacking victim.
5. Create A Login Screen
I still see tons of new clients with existing sites whose entire back-end does not even have a login. That is just asking for trouble, and shows the lack of knowledge the previous developer had.
6. Don’t Use Internet Explorer
Internet Explorer is vulnerable to spyware, adware and other security issues that make it a potential security threat itself if the user’s of your system are not web or computer savvy. When training your clients on your new web application, I’d recommend they install Firefox or alternative web browser when using the web application.
7. Update Your Open Source Applications
Another no brainer, but commonly skipped by developers, especially when they set it up for their clients. If you do maintain any web sites that use this software, let them know that you need to check regularly for updates and install them on their web site. It may be an extra service you provide that they need to pay for, but after explaining it to them properly you shouldn’t have any problem convincing them of the value.
8. Encrypt with SSL
Encrypt your web application with SSL to avoid any one “listening” to the data you’re transmitting back and forth. This is another way hackers can gain usernames and passwords easily and get full access to your application.
9. Change Your Password Often
This is something that you typically get resistance from because people don’t want to have to remember a new password every couple weeks/months.
10. Use Strong Passwords
Don’t use “password”, your last name, first name, or any other common password or actual word for logging into your system. A good password doesn’t make any sense and is hard to remember! Use something with upper and lower case letters, digits, and punctuation to help prevent against dictionary attacks. They’re easy to come up with, just hit all a bunch of random buttons on your keyboard. Here’s some: ‘sad7f$RF894$3’, ‘af4c$AF34’, ‘CVa34F3’, ‘Vgf45g$%g’, and ‘asdfj34F#$f’.
Why You Should Secure Your Web Applications
You shouldn’t have to preach this to your clients or yourself, but I do get a lot of people saying “who is going to care about my site?”, or “no one will know about my back-end so there’s no need in securing it.” Yes I do get these comments, and more than likely your competition won’t be trying to hack into your web app, but hackers don’t tend to care who’s sites they break into. Furthermore they really want to find web applications of smaller web sites so they can break in and use your site for storage space as the smaller web sites with smaller budgets will more commonly be vulnerable to hacker attempts. Thinking that your competition will be trying to break in to your site specifically is not the right way of thinking about it, it’s more about people looking for random storage space, link spammers, people trying to hack into sites just for the fun of it, or others trying to break into open source installations for experimental or bragging-rights purposes. Whether it’s your site specifically or someone else’s usually doesn’t matter to them.